Wednesday, May 14, 2014

“Security is invisible, and the OWASP Foundation has the purpose of making security visible”. That was the first thing I read about OWASP when I was invited to talk about license contracts and security at an OWASP local chapter conference. While listening to an OWASP Top Ten talk, my first concern was how to make security visible to non-technical users. Secure coding is not visible to users unless they have the skills to understand Java, PHP, JavaScript, Ajax, HTML, and so on.

So I thought about creating a Security Labeling System for making security visible to users. My peers thought it was a good idea, because users could just read a label logo and know what it represents in terms of security. GREAT. When I proposed the project to OWASP, I found out that Jeff Williams had proposed something similar years ago. That encouraged my research.

The system should be transversal (cutting across markets), and it could be based on other OWASP security projects. These are the labels:

1. Security (secure coding). This label is for technical security in applications: using recommended guides (such as the OWASP Top Ten) and tools (such as ZAP or Dependency Check) for developing the application and keeping it secure.

2. Privacy (Trust). This label is for increasing users' trust in software providers. Software should come free of unauthorized spyware, and it should process personal data in an “ethical” way.

3. Ingredients (Transparency). This is a label for open source software. Software components (including third-party code) should be listed in a human-readable file, so users know what they are installing.

4. Openness (Open security). This is a label for web applications. Web applications could make their latest vulnerability scan report available.

The 4 labels are independent, as they address different (but related) security issues. Each one comes with a label clause, to be added to the license agreement (for source code or binaries) or to the Terms of Service (for web applications and cloud services). By clicking the logo, users would connect to a database on the OWASP Security Labeling System server, confirming the authenticity and validity of the web application's (or computer program's) subscription.

However, I found 3 issues in the opinion polls. I am working on those issues:

(1) Developers don't want a bad security ranking label on their product (security label). There is no ranking. The only ranking is 'good enough'.

(2) Developers disclaim liability in their license agreements. There is no liability by default. You are only responsible for what you have offered, and you are not offering 100% security, because that is not possible. Therefore, you can still disclaim direct and indirect damages.

(3) Most IT administrators would not publish their own web application vulnerabilities (openness label). This condition is not in real time. You could publish your vulnerability reports after you have fixed the application's problems. However, if the reports meet a time criterion (such as weekly), users can know that at least the web application is maintained and fixed on a regular basis.

This is the challenge, and I invite you all to join this project. The Security Labeling System is FREE and OPEN. Let's make security VISIBLE for all (including USERS).